W3C home > Mailing lists > Public > public-webauthn@w3.org > May 2021

Re: [webauthn] Support for raw cryptographic signatures (#1611)

From: David Waite via GitHub <sysbot+gh@w3.org>
Date: Wed, 12 May 2021 09:19:55 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-839612634-1620811193-sysbot+gh@w3.org>
This appears to be a duplicate of #1595 and #1608.

A raw signature provides integrity but does not provide the guarantees necessary for authentication. The purpose of the public key credentials is exclusively about providing information about the associated authentication event handled by the hardware. It is highly unlikely the same key pair would be allowed to be used to sign arbitrary messages, as this would allow interception of requests and forgery of authentication responses. 

Putting this aside, authenticator implementations today would also not support this extension, leaving compatibility to a subset of future platform versions and hardware - possibly subsetted further by the tendency of such distributed systems to use more exotic cryptography primitives.

In addition, there are no guarantees about the permanence of Web Authentication public key credentials by authenticators. A platform authenticator may theoretically be backed by local storage, with the same removal policy as a non-exportable WebCrypto key in javascript.

-- 
GitHub Notification of comment by dwaite
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1611#issuecomment-839612634 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Wednesday, 12 May 2021 09:19:56 UTC

This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 07:26:43 UTC